The overwhelming majority of security tokens used today on the web are bearer tokens (e.g. HTTP cookies, OpenID Connect ID tokens, SAML assertions, OAuth tokens). Any party in possession of a bearer token is able to use it to gain access to the associated protected resources, which makes them a highly attractive target for attackers. Although there have been many efforts to provide better than bearer security, none have achieved widespread deployment success. Token Binding is new IETF protocol that enables strong cryptographic defenses against the use of stolen security tokens and, with a novel approach and the backing of some very significant industry players, has the potential to find the success that’s been elusive to previous attempts. This session will provide an overview of how Token Binding works and its application to higher level protocols like OpenID Connect and OAuth. Some bad jokes and gratuitous photography will be included to take the edge off the otherwise very nerdy content.

1. © 2017 Brian Campbell 1
Beyond Bearer
Token Binding as the Foundation for a More Secure Web
BRIAN CAMPBELL
@__b_c
featuring guest contributor
MICHAEL B. JONES
@selfissued
© 2017 Brian Campbell

2. © 2017 Brian Campbell 2
Formalities, Introductions, Safe Harbor, etc.
• Working for Ping Identity since ’04
– Product Development & Standards
– Contributions from Mike Jones, Identity
Standards Architect at Microsoft
• Pretending to have a different career
via CIS since ’11
– Presentation MAY contain gratuitous
photos
– gratuitous photos
• Presentation may contain forward-
looking statements and no investment
or purchasing decisions should be made
based on the content herein
– Except to hire a photographer for an
obscene amount of money
"L'Arroseur Arrosé”
by
David Brossard

3. © 2017 Brian Campbell 3
Formalities, Introductions, Safe Harbor, etc.
• Working for Ping Identity since ’04
– Product Development & Standards
– Contributions from Mike Jones, Identity
Standards Architect at Microsoft
• Pretending to have a different career
via CIS since ’11
– Presentation MAY contain gratuitous
photos
• This presentation may contain forward-
looking statements and no investment
or purchasing decisions should be made
based solely on the content herein
– Except to hire a photographer for an
obscene amount of money
"L'Arroseur arrosé”
By
David Brossard

4. © 2017 Brian Campbell 4
The Problem With Bearer Tokens
One truth and a lie

5. © 2017 Brian Campbell 5
Make HTTP Stateful Again!
HttpOnlysecure
The archetypal bearer token

6. © 2017 Brian Campbell 6
Single Page Apps
(everyone is doing it)
it's like déjà vu all over again with XSS and local storage

7. © 2017 Brian Campbell 7
Token Binding
• Enables a long-lived binding via client
generated public-private key pair used
to sign TLS exported keying material
and sent as an HTTP header
© 2017 Brian Campbell

8. © 2017 Brian Campbell 8

9. © 2017 Brian Campbell 9© 2017 Brian Campbell

10. © 2017 Brian Campbell 10
Hello! Do you like my extension?

11. © 2017 Brian Campbell 11
Do you even bind tokens, bro?
Client Server
ClientHello
...
token_binding [24]
token_binding_version [1,0]
key_parameters_list [2,0]
ServerHello
...
token_binding [24]
token_binding_version [1,0]
key_parameters_list [2]
Key Parameters:
(0) rsa2048_pkcs1.5
(1) rsa2048_pss
(2) ecdsap256
Also need extenstions:
Extended Master Secret
Renegotiation Indication
TLS Handshake

12. © 2017 Brian Campbell 12
Token Binding over HTTPS
Client Server
GET /stuff HTTP/1.1
Host: example.com
Sec-Token-Binding: AIkAAgBBQLgtRpWFPN66kxhxGrtaKrzcMtHw7HV8
yMk_-MdRXJXbDMYxZCWnCASRRrmHHHL5wmpP3bhYt0ChRDbsMapfh_QAQ
N1He3Ftj4Wa_S_fzZVns4saLfj6aBoMSQW6rLs19IIvHze7LrGjKyCfPT
KXjajebxp-TLPFZCc0JTqTY5_0MBAAAA
HTTP Request
• Encoded Token Binding Message
– (1 or more) Token Bindings
• Type (provided / referred)
• Token Binding ID (key type and public key)
• Signature over type, key type, and EKM (TLS Exported Keying Material)
• Extensions
• Proves possession of the private key on the TLS connection
• Keys are long-lived and span TLS connections

13. © 2017 Brian Campbell 13
Binding Cookies
• The most straightforward application binds a cookie to the Token Binding key
• Server associates Token Binding ID with cookie & checks on subsequent use
• Augments existing authentication and session mechanisms
• Transparent to users
• Deployment can be phased in

14. © 2017 Brian Campbell 14
Okay, Just Take It Easy Privacy Nerds Advocates
• Token Binding is not a
supercookie or new big brother
tracking mechanism
• Client generates a unique key
pair per effective top-level
domain + 1 (eTLD+1)
– E.g., example.com, www.example.com,
and etc.example.com share binding but
not example.org or example.co.uk
• Same scoping rules and privacy
implications as cookies
© 2017 Brian Campbell

15. © 2017 Brian Campbell 15
But what if we need 2Federate?
There’s an HTTP response header for that! Tells the browser that it should reveal the Token Binding ID used
between itself and the RP (referred) in addition to the one used between itself and the IDP (provided).
Browser
Identity Provider (IDP)Relying Party (RP)
HTTP/1.1 302 Found
Location: https://idp.example.com
Include-Referred-Token-Binding-ID: true
GET / HTTP/1.1
Host: idp.example.com
Sec-Token-Binding: ARIAAgBBQB-XOPf5ePlf7ikATiAFEGOS503
lPmRfkyymzdWwHCxl0njjxC3D0E_OVfBNqrIQxzIfkF7tWby2Zfya
E6XpwTsAQBYqhFX78vMOgDX_Fd_b2dlHyHlMmkIz8iMVBY_reM98O
UaJFz5IB7PG9nZ11j58LoG5QhmQoI9NXYktKZRXxrYAAAECAEFAdU
FTnfQADkn1uDbQnvJEk6oQs38L92gv-KO-qlYadLoDIKe2h53hSiK
wIP98iRj_unedkNkAMyg9e2mY4Gp7WwBAeDUOwaSXNz1e6gKohwN4
SAZ5eNyx45Mh8VI4woL1BipLoqrJRoK6dxFkWgHRMuBROcLGUj5Pi
OoxybQH_Tom3gAA
I'll tell you what
I'd do, man, two
bindings at the
same time, man.

16. © 2017 Brian Campbell 16
Token Binding for OpenID Connect
• Utilizes the Include-
Referred-Token-
Binding-ID header
and the Referred
Token Binding
• Binds the ID Token to
the Token Binding ID
the browser uses
between itself and the
Relying Party
• Uses token binding hash
“tbh” member of the
confirmation claim
“cnf”

17. © 2017 Brian Campbell 17
“Demo”
• Showing a bound:
– ID Token SSO
– Session Cookie
Browser
Identity Provider (IDP)
https://idp.example.com
Relying Party (RP)
https://rp.example.io:3000
http://httpbin.org/

18. © 2017 Brian Campbell 18
Unauthenticated access request to RP
is redirected for SSO

19. © 2017 Brian Campbell 19
Authentication request
to the IDP

20. © 2017 Brian Campbell 20
ID Token
delivered to RP

21. © 2017 Brian Campbell 21
Authenticated
access to RP

22. © 2017 Brian Campbell 22
“Demo” Finished

23. © 2017 Brian Campbell 23
Token Binding for OAuth Too
• Access tokens with
referred Token
Binding ID
• Refresh tokens with
provided Token
Binding ID
• Authorization codes
via PKCE
– Native app clients
– Web server clients

24. © 2017 Brian Campbell 24
But What about Client Certificates?
• “rarely used in end-user applications” -
Wikipedia
• Seen specialized/niche deployments
rather than large scale
• Less than friendly user experience
– Comprehending
– Obtaining
– Using
– Logging out
– Portability
– Managing
• Privacy implications
RFC 5280 is X.509 Public
Key Infrastructure
Certificate Profile
Denver is nicknamed the
Mile-High City because of
its 5280 foot elevation
Blue Mustang is public art
at Denver International
Airport
Q.E.D.

25. © 2017 Brian Campbell 25
The Landscape (some of it anyway)
• Three IETF Token Binding specs soon to be RFCs
• Draft support
– Chrome and Edge/IE (others?!!)
– Global on Google servers (since Jan)
– .NET Framework (4.6 for server side)
– Open source
• OpenSSL (https://github.com/google/token_bind)
• Apache (https://github.com/zmartzone/mod_token_binding)
• NGINX (https://github.com/google/ngx_token_binding)
• Java (… er, yeah…)
– Online demo at https://www.ietf.org/mail-archive/web/unbearable/current/msg01332.html
• OpenID Connect Token Bound Authentication spec is coming along
• OAuth 2.0 Token Binding spec is coming along a bit behind that
• Working to spec how it’ll work with TLS terminating reverse proxies

26. © 2017 Brian Campbell 26
FIN
© 2015 Brian Campbell
BRIAN CAMPBELL
@__b_c
featuring guest contributor
MICHAEL B. JONES
@selfissued